PRIVACY POLICY
Forty + One Hotel
BOSU SBS Hotel GmbH
Last updated: February 2026
The data controller responsible for the processing of your personal data on this website is:
Company: BOSU SBS Hotel GmbH
Brand: Forty + One Hotel
Address: Schönbrunner Straße 41, 1050 Vienna, Austria
Managing Director: Denys Sukhorebsky
Company Registration: FN 631693 k – Tribunale commerciale di Vienna
Operated by: Dwell Bell
E-mail: [email protected]
Telefono: +43 1 424 00 34
If you have any questions about data protection or wish to exercise your rights, please contact us at the email address above. We will respond within one month in accordance with GDPR requirements.
This privacy policy explains how we collect, use, store, and protect your personal data when you visit our website (https://fortyplusone.at), make a booking, stay at our hotel, subscribe to our newsletter, or otherwise interact with us. It has been prepared in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Austrian Data Protection Act (Datenschutzgesetz, “DSG”).
We process personal data only when there is a lawful basis to do so and only for the purposes described in this policy.
We process your personal data on the following legal bases under Article 6(1) GDPR:
When you visit our website, the following data is automatically collected for technical and security reasons (legal basis: legitimate interest, Art. 6(1)(f) GDPR):
When you make a reservation or stay at our hotel, we collect the following data (legal basis: contract performance, Art. 6(1)(b), and legal obligation, Art. 6(1)(c) GDPR):
When you contact us via the website form or email, we collect your name, email address, and the content of your message (legal basis: consent, Art. 6(1)(a), or pre-contractual measures, Art. 6(1)(b) GDPR).
If you subscribe to our newsletter, we collect your email address and, optionally, your name. We use Mailchimp (The Rocket Science Group LLC, Atlanta, USA) to manage our email marketing. Your data is stored on Mailchimp’s servers in the United States – see Section 9 for information about international transfers.
Legal basis: Your explicit consent (Art. 6(1)(a) GDPR). You may unsubscribe at any time using the unsubscribe link in each email or by contacting us directly. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
See Section 8 below for detailed information about cookies and tracking.
We use your personal data for the following purposes:
We share your personal data with the following categories of recipients, only to the extent necessary:
We use the following service providers who process data on our behalf under data processing agreements (Art. 28 GDPR):
We do not sell your personal data to any third party.
We retain your personal data only for as long as is necessary for the purpose for which it was collected or as required by law:
|
Data Category |
Retention Period |
Legal Basis |
|
Guest registration data |
7 years |
Austrian tax retention (§ 132 BAO) |
|
Booking and payment data |
7 years |
Tax and accounting obligations |
|
Contact form enquiries |
6 months |
After completion of enquiry |
|
Newsletter subscriber data |
Until unsubscribe |
Consent (Art. 6(1)(a) GDPR) |
|
Server log files |
14 days |
Website security (legitimate interest) |
|
Cookie consent records |
3 years |
Proof of consent (accountability) |
|
Google Analytics data |
14 months |
Consent; GA4 default retention |
|
Marketing consent data |
Until withdrawal |
Consent (Art. 6(1)(a) GDPR) |
After the retention period expires, data is securely deleted or anonymised.
Our website uses cookies – small text files stored on your device by your browser.
Strictly necessary cookies: These are essential for the website to function (e.g. session management, cookie consent preferences, security). They do not require your consent (§ 165(3) TKG 2021, Art. 5(3) ePrivacy Directive).
Analytics cookies (Google Analytics): These help us understand how visitors use our website. We only set these cookies after you have given explicit consent.
Advertising/marketing cookies (Meta Pixel, Google Ads): These are used to measure the effectiveness of our advertising and to display relevant ads. We only set these cookies after you have given explicit consent.
Our website uses Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies to analyse your use of the website. The information generated is usually transferred to a Google server in the USA and stored there.
We have enabled IP anonymisation, so your IP address is truncated within the EU/EEA before being transmitted. Google Analytics is activated only after you provide explicit consent via our cookie consent banner.
You can find Google’s privacy policy at: https://policies.google.com/privacy
Our website uses Google Ads conversion tracking, provided by Google Ireland Limited. When you click on an ad served by Google, a conversion tracking cookie is placed on your device. This cookie helps us measure the effectiveness of our advertising campaigns. Google Ads conversion tracking is activated only after you provide explicit consent.
Our website uses the Meta Pixel (formerly Facebook Pixel), a tracking tool provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. The Meta Pixel is activated only after you provide explicit consent via our cookie consent banner.
The Meta Pixel collects data such as your IP address, browser information, pages visited, and actions taken on our website. This data is used to measure the effectiveness of our advertising campaigns and to display targeted advertisements on Facebook and Instagram. Data may be transferred to Meta Platforms, Inc. in the United States – see Section 9.
When you first visit our website, a cookie consent banner is displayed. You may accept or reject non-essential cookies by category (analytics, marketing). You can change your cookie preferences at any time by clicking the cookie settings link in the footer of our website. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
Some of our service providers are located outside the European Economic Area (EEA), specifically in the United States. Where personal data is transferred to countries outside the EEA, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR:
You may request a copy of the relevant safeguards by contacting us at [email protected].
Under the GDPR and the Austrian DSG, you have the following rights regarding your personal data:
|
Right |
Description |
|
Right of Access (Art. 15) |
You can request confirmation of whether we process your data and obtain a copy of it. |
|
Right to Rectification (Art. 16) |
You can request correction of inaccurate or incomplete personal data. |
|
Right to Erasure (Art. 17) |
You can request deletion of your data where there is no compelling reason for continued processing. |
|
Right to Restriction (Art. 18) |
You can request that we restrict the processing of your data in certain circumstances. |
|
Notification Obligation (Art. 19) |
We will notify each recipient of any rectification, erasure, or restriction unless this proves impossible or involves disproportionate effort. |
|
Right to Data Portability (Art. 20) |
You can request your data in a structured, commonly used, machine-readable format. |
|
Right to Object (Art. 21) |
You can object to processing based on legitimate interest. We will cease processing unless we have compelling grounds. |
|
Automated Decisions (Art. 22) |
You have the right not to be subject to decisions based solely on automated processing, including profiling. |
|
Right to Withdraw Consent (Art. 7(3)) |
Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal. |
To exercise any of these rights, please contact us at [email protected]. We will respond within one month. If we need to extend this period (by up to two additional months due to complexity or volume), we will inform you within the first month.
Right to lodge a complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde):
Address: Barichgasse 40-42, 1030 Vienna, Austria
Website: https://www.dsb.gv.at/
E-mail: [email protected]
Under the Austrian Registration Act (Meldegesetz), we are legally required to register all guests and report their data to the relevant municipal authority. This is a legal obligation (Art. 6(1)(c) GDPR) and does not require your consent.
If you are the main traveller or group leader, we kindly ask you to inform any accompanying guests about this data processing prior to arrival.
Data shared with the municipality/city and the tourism association is limited to what is required by law and is transmitted securely.
Our web hosting provider (DigitalOcean) automatically collects and stores information in server log files that your browser transmits when you visit our website. This includes your IP address, browser type and version, operating system, referring URL, Internet service provider, and date/time of access.
This data is processed on the basis of our legitimate interest in ensuring website security and stability (Art. 6(1)(f) GDPR). Log files are retained for 14 days and then automatically deleted. This data is not combined with other personal data sources.
If you contact us via our website form or by email, we store your name, email address, and message content for the purpose of processing your enquiry and for follow-up correspondence. This data is retained for 6 months after the enquiry has been completed, unless a longer retention is required for contractual or legal reasons.
Legal basis: Consent (Art. 6(1)(a) GDPR) if you initiated the contact, or pre-contractual measures (Art. 6(1)(b) GDPR) if the enquiry relates to a potential booking. We will not share this data with third parties without your consent.
If you send us personal data by email outside of this website, we cannot guarantee the secure transmission and protection of your data. We recommend that you do not send confidential or sensitive data via unencrypted email.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration, in accordance with Article 32 GDPR. These measures include:
Access controls and authentication for internal systems
Regular security assessments and updates
Data processing agreements (Art. 28 GDPR) with all service providers
PCI DSS-compliant payment processing through Adyen
Our website and services are not directed at children under 16. We do not knowingly collect personal data from children under 16 without parental consent. If you believe a child’s data has been collected without appropriate consent, please contact us and we will delete it promptly.
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or services. The current version will always be available on our website at https://fortyplusone.at/privacy-policy/. We encourage you to review this policy periodically. Material changes will be communicated via our website.
In accordance with the Regulation on Online Dispute Resolution in Consumer Affairs (ODR Regulation), we inform you that the European Commission’s Online Dispute Resolution Platform is available at: https://ec.europa.eu/odr
We are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.
For all data protection enquiries, please contact:
BOSU SBS Hotel GmbH / Forty + One Hotel
Operator: Dwell Bell
Address: Schönbrunner Straße 41, 1050 Vienna, Austria
E-mail: [email protected]
Telefono: +43 1 424 00 34
